Cryptocurrency mining malware could be hiding in your Adobe Flash Update, according to new research from cybersecurity firm Palo Alto Networks. Although not a new hacking tactic, the latest analysis shows a significant spike in Adobe Flash updaters which can go on and hide in the background and do damage to Windows systems.

Per the research in the study, there were a total of 113 fake updaters discovered on the web, none of which are hosted on official Adobe servers. A spike in these URLs appeared as early as June 2018, and then again in September 2018. The research doesn’t make it clear how one can arrive at these, but it shows that spoof URLs are the likely root cause.

In a test of one of these URLs on August 24, Palo Alto Networks revealed that the bogus Adobe updaters go on to legitimately update Flash Player and throw an unsuspecting user to an official Adobe website on completion. Unfortunately, it also ends up embedding an “XMRig” mining bot in the process. That bot then runs in the background, making a CPU go 100-percent full force, mining “Monero” cryptocurrencies for hackers. There’s no warning, and the only way to tell where connections were going was by analyzing the networking traffic.

“This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs. Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates,” explains Palo Alto Networks.

Cryptocurrency malware is not a new phenomenon and has sometimes proven tough to remove from infected systems. Back in May, one strain of this type of malware crashed the PCs of those who manually tried to kill off the mining process from the task manager.

Adobe is actually ending support for Flash Player in 2020 and wants content creators and consumers to move to the much more secure HTML 5 platform. The firm cited browser plugins in that decision, noting that these can disrupt secure environments, cause browser instability issues, and open up browsers to hacking. Flash is mainly obsolete anyway, and many browsers are already blocking the plugin from starting automatically. It’s all one step toward a safer internet for us all.